
Comments (5)

uk-bolly avatar uk-bolly commented on June 5, 2024 1

HI @ssarkar9

Thank you for taking the time to raise this issue, apologies for the time taken to respond; subscribers and other projects take priority, I'm afraid.
Reading through the thread it appears:

1/ the gpg key details as found in vars/main.yml are no longer correct - these will need to be updated

The second thread appears to be more around 1.2.4 and gpg check for a repo.
2/ the repo_gpgcheck is indeed listed as a known error; many repositories do not allow repo_gpg but only the package gpg themselves. This is a case of understanding your systems and capabilities, as some do, some did and some just don't support this (this is across all the repos we maintain).

Will look to raise item one as the actual issue. Please let me know if my understanding of your issue is correct.

many thanks

uk-bolly

from amazon2023-cis.

tburow avatar tburow commented on June 5, 2024

amazonlinux/amazon-linux-2023#336

from amazon2023-cis.

stewartsmith avatar stewartsmith commented on June 5, 2024

Maybe this is more of a clarity of text issue than an issue with item 1.2.1 ?

To quote the CIS Amazon Linux 2023 Benchmark v1.0:

Take care to set this value to false (default) for particular repositories that do not support it.

Currently, that includes the AL2023 repositories that do not support it. Since the CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it, it doesn't conflict with 1.2.1 to not have repository metadata signed.

from amazon2023-cis.

ntndash avatar ntndash commented on June 5, 2024

When I am running galaxy roles of amazon-cis benchmark for amazon linux 2023, I had this error.
Do we have a solution or workaround for this ?

Using packer to build and ansible to configure

amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] ***
amazon-ebs.amazon_ami: ok: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys] ***
amazon-ebs.amazon_ami: skipping: [default]
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] ***
amazon-ebs.amazon_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}
amazon-ebs.amazon_ami:
amazon-ebs.amazon_ami: PLAY RECAP *********************************************************************
amazon-ebs.amazon_ami: default : ok=96 changed=34 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0
amazon-ebs.amazon_ami:

from amazon2023-cis.

uk-bolly avatar uk-bolly commented on June 5, 2024

> When I am running galaxy roles of amazon-cis benchmark for amazon linux 2023, I had this error. Do we have a solution or workaround for this ?
>
> Using packer to build and ansible to configure
>
> amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys] ***
> amazon-ebs.amazon_ami: ok: [default]
> amazon-ebs.amazon_ami:
> amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys] ***
> amazon-ebs.amazon_ami: skipping: [default]
> amazon-ebs.amazon_ami:
> amazon-ebs.amazon_ami: TASK [AMAZON2023-CIS : 1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail] ***
> amazon-ebs.amazon_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Installed GPG Keys do not meet expected values or expected keys are not installed"}
> amazon-ebs.amazon_ami:
> amazon-ebs.amazon_ami: PLAY RECAP *********************************************************************
> amazon-ebs.amazon_ami: default : ok=96 changed=34 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0
> amazon-ebs.amazon_ami:

Hi @ntndash @ssarkar9

I'm struggling to reproduce the error with 1.2.1 from the devel branch.
I have just updated the image to the latest and run again and still no issues seen.

Here is the manual output.
I confirmed the gpg key in the first command matches the variable defined in vars/main.yml:

[ec2-user@az2023_host rpm-gpg]$ rpm -q gpg-pubkey
gpg-pubkey-d832c631-63977702
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702
Amazon Linux <[email protected]> d832c631
[ec2-user@az2023_host rpm-gpg]$ rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" gpg-pubkey-d832c631-63977702 | grep "Amazon Linux <[email protected]> d832c631"
Amazon Linux <[email protected]> d832c631
[ec2-user@az2023_host rpm-gpg]$ echo $?
0

Many thanks

uk-bolly

p.s. To highlight, I am testing the devel branch; I will be pushing out a new release soon.

from amazon2023-cis.
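The manual check above (query the installed `gpg-pubkey` packages, print packager and version, compare against the value in vars/main.yml) and the repo_gpgcheck point from the first comment can both be reproduced outside the role. The script below is an added example, not code from the amazon2023-cis role or from any commenter; the function names (`gpg_key_matches`, `gpg_key_check_live`, `repos_missing_gpgcheck`) and the sample rpm output and .repo fragment are constructed here for illustration, and the packager address is copied as it appears in the thread, so replace `EXPECTED_KEY` with the exact string from your checkout's vars/main.yml before using it on a host.

```shell
#!/bin/sh
# Added example: stand-alone reproduction of the 1.2.1 "expected keys" audit
# from the thread plus a small 1.2.4-style audit of gpgcheck in .repo files.
# Not part of the amazon2023-cis role.

# Expected "<PACKAGER> <VERSION>" line. Taken from uk-bolly's manual output
# above; the address there is as shown on the page, so set this from your
# own vars/main.yml.
EXPECTED_KEY='Amazon Linux <[email protected]> d832c631'

# Constructed sample of what the two rpm queries in the thread printed.
SAMPLE_PUBKEYS='gpg-pubkey-d832c631-63977702'
SAMPLE_DETAILS='Amazon Linux <[email protected]> d832c631'

# gpg_key_matches DETAILS EXPECTED
# DETAILS is one "<PACKAGER> <VERSION>" line per installed gpg-pubkey.
# Returns 0 only when some line is exactly EXPECTED (fixed-string, whole line),
# which is the same test as the `grep "..."` in the manual output.
gpg_key_matches() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# gpg_key_check_live EXPECTED
# Runs the real rpm queries (needs rpm on the host) and applies the same test.
# Walking every gpg-pubkey package means a host with several imported keys
# still passes as long as the expected one is present.
gpg_key_check_live() {
    details=$(rpm -q gpg-pubkey 2>/dev/null | while read -r pk; do
        rpm -q --queryformat '%{PACKAGER} %{VERSION}\n' "$pk"
    done)
    gpg_key_matches "$details" "$1"
}

# Constructed .repo fragment: package signatures checked but repo metadata
# not (the AL2023 situation described in the thread), and a repo that has
# package signature checking switched off entirely.
SAMPLE_REPO='[amazonlinux]
name=Amazon Linux 2023 repository
gpgcheck=1
repo_gpgcheck=0

[thirdparty]
name=example third-party repo
gpgcheck=0
repo_gpgcheck=1
'

# repos_missing_gpgcheck REPO_TEXT
# Prints the section names whose gpgcheck is not 1. repo_gpgcheck is
# deliberately not required, matching the CIS note that it is only set for
# repositories that support signed metadata.
repos_missing_gpgcheck() {
    printf '%s\n' "$1" | awk '
        /^\[/ {
            if (sec != "" && !ok) print sec
            sec = substr($0, 2, length($0) - 2); ok = 0; next
        }
        /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { if (sec != "" && !ok) print sec }'
}

# Offline demonstration on the constructed samples.
if gpg_key_matches "$SAMPLE_DETAILS" "$EXPECTED_KEY"; then
    echo "1.2.1: expected key present ($SAMPLE_PUBKEYS)"
else
    echo "1.2.1: installed GPG keys do not meet expected values"
fi
echo "1.2.4: repos without gpgcheck=1: $(repos_missing_gpgcheck "$SAMPLE_REPO")"
```

Run it as-is to see the offline result, or call `gpg_key_check_live "$EXPECTED_KEY"` on an AL2023 host to perform the live query; a non-zero exit there is the same condition the role reports as "Installed GPG Keys do not meet expected values or expected keys are not installed".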
